OSINT

Project Scope

OSINTing of TheReserve's corporate website, which is exposed on the external network of TheReserve. Note, this means that all OSINT activities should be limited to the provided network subnet and no external internet OSINTing is required.

External (internet) OSINT gathering.

Summary

As the Project Scope states, only the provided network is in scope for OSINT, including the public-facing web server. On the web server, we will find a team page with usernames and pictures. Inspecting these shows that the image file names include the full name and that the directory holding the images has directory listing enabled. From there, all team members' names can be gathered. Besides the usernames, an email address can be found on the contact page. With this information, a list of usernames and email addresses can be compiled.

With the given password base list, the password policy and the restricted special characters, a wordlist will be created for brute force attacks against the login pages of the public-facing web servers.

WEB 10.200.XXX.13

Users

On the Meet the Team page, usernames with pictures can be found. Some users have full names documented, others only the first name.

Looking at the page source, the pictures are located at /october/themes/demo/assets/images.

Visiting the location shows that directory listing is active and all usernames with first and last names can be extracted.

Looking at the footer of the page, two more usernames can be discovered.

On the Contact Us page, an email address is given for sending a CV to the company. From this address, we can derive the email format and apply it to the previously found usernames.

With the information gathered, we are able to craft a users.txt wordlist.

users.txt

antony.ross
ashley.chan
brenda.henderson
charlene.thomas
christopher.smith
emily.harvey
keith.allen
laura.wood
leslie.morley
lynda.gordon
martin.savage
mohammad.ahmed
paula.bailey
rhys.parsons
roy.sims
aimee.walker
patrick.edwards
application
antony.ross@corp.thereserve.loc
ashley.chan@corp.thereserve.loc
brenda.henderson@corp.thereserve.loc
charlene.thomas@corp.thereserve.loc
christopher.smith@corp.thereserve.loc
emily.harvey@corp.thereserve.loc
keith.allen@corp.thereserve.loc
laura.wood@corp.thereserve.loc
leslie.morley@corp.thereserve.loc
lynda.gordon@corp.thereserve.loc
martin.savage@corp.thereserve.loc
mohammad.ahmed@corp.thereserve.loc
paula.bailey@corp.thereserve.loc
rhys.parsons@corp.thereserve.loc
roy.sims@corp.thereserve.loc
aimee.walker@corp.thereserve.loc
patrick.edwards@corp.thereserve.loc
application@corp.thereserve.loc

users_mail.txt

antony.ross@corp.thereserve.loc
ashley.chan@corp.thereserve.loc
brenda.henderson@corp.thereserve.loc
charlene.thomas@corp.thereserve.loc
christopher.smith@corp.thereserve.loc
emily.harvey@corp.thereserve.loc
keith.allen@corp.thereserve.loc
laura.wood@corp.thereserve.loc
leslie.morley@corp.thereserve.loc
lynda.gordon@corp.thereserve.loc
martin.savage@corp.thereserve.loc
mohammad.ahmed@corp.thereserve.loc
paula.bailey@corp.thereserve.loc
rhys.parsons@corp.thereserve.loc
roy.sims@corp.thereserve.loc
aimee.walker@corp.thereserve.loc
patrick.edwards@corp.thereserve.loc
application@corp.thereserve.loc

Passwords

With the password base list, the policy and the restricted special characters, a wordlist will be created with John the Ripper.

https://tryhackme.com/room/passwordattacks Offline Attacks - Rule Based

password_base_list.txt

TheReserve
thereserve
Reserve
reserve
CorpTheReserve
corpthereserve
Password
password
TheReserveBank
thereservebank
ReserveBank
reservebank

password_policy.txt

The password policy for TheReserve is the following:

* At least 8 characters long
* At least 1 number
* At least 1 special character

The project brief restricts the special characters that may be used under the password policy to the following set:

!@#$%^

To generate a password list from the information gathered, a rule that mangles the password base words is required. To do so, john.conf was extended with a custom rule.

sudo nano /opt/john/john.conf

[List.Rules:RedTeam-Capstone]
Az"[0-9]" $[!@#$%^]

Generate passwords.txt

john --wordlist=base.txt --rules=RedTeam-Capstone --stdout > passwords.txt
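As an added example (not part of the original write-up or the capstone materials), the following Python reproduces the candidate set that the John rule above generates from password_base_list.txt and checks every candidate against the stated policy; the count it reports shows how small the policy-compliant keyspace becomes when the special characters are restricted to six.

```python
"""Emulate the rule  Az"[0-9]" $[!@#$%^]  and validate the output against the
password policy. Added example; base words are copied from the list above."""
import string

# Base list from password_base_list.txt.
BASE_WORDS = [
    "TheReserve", "thereserve", "Reserve", "reserve",
    "CorpTheReserve", "corpthereserve", "Password", "password",
    "TheReserveBank", "thereservebank", "ReserveBank", "reservebank",
]

ALLOWED_SPECIALS = "!@#$%^"   # the restricted set from the project brief
DIGITS = string.digits        # the [0-9] class in the rule


def mangle(base_words, digits=DIGITS, specials=ALLOWED_SPECIALS):
    """Append one digit (Az"[0-9]") and then one special ($[!@#$%^]) to each base
    word. The candidate set matches John's expansion; the ordering may differ."""
    return [w + d + s for w in base_words for d in digits for s in specials]


def meets_policy(candidate, min_len=8, specials=ALLOWED_SPECIALS):
    """Policy from password_policy.txt: at least 8 characters, at least one digit,
    at least one special character, and specials limited to the allowed set."""
    if len(candidate) < min_len:
        return False
    if not any(c.isdigit() for c in candidate):
        return False
    if not any(c in specials for c in candidate):
        return False
    # Reject anything that is neither a letter, a digit nor a permitted special.
    return all(c.isalnum() or c in specials for c in candidate)


def build_wordlist(base_words=BASE_WORDS):
    """Return only the mangled candidates that satisfy the policy."""
    return [c for c in mangle(base_words) if meets_policy(c)]


if __name__ == "__main__":
    wordlist = build_wordlist()
    print(f"{len(wordlist)} policy-compliant candidates "
          f"from {len(BASE_WORDS)} base words")   # 720 candidates
    print("\n".join(wordlist[:3]))
```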
